Abstract


We present a Compositional Proof System for the modal μ-calculus and a generalized version of the parallel composition in CCS [11, 12]. The proof system is designed for inferring global properties of a system from the local properties of its components. This allows for efficient verification of parallel processes by decomposing the task into smaller problems of verifying the parallel components separately. In particular, the system can be used to combine model checking [6] with theorem proving. Since parallel composition causes the largest blow-up in the number of states, this technique proposes an effective solution to the state space explosion problem. The Proof System is implemented in the PVS theorem prover [13], and the proof of its soundness was thoroughly checked using PVS logic as a metalanguage. The proof strategy mechanism of PVS can be used to achieve some degree of automation in proof search.


1 Introduction.


In this paper we present a Compositional Proof System for the modal μ-calculus and CCS [11, 12]. We use a (slightly modified version of) CCS as a model of concurrency. Many systems of parallel processes can be expressed as CCS processes, and then checked against specifications in the modal μ-calculus. Following Stirling [14], our proof system consists of two subsystems. The first one deals with model checking CCS processes without the parallel composition operator, i.e. it contains proof rules for sequents of the form p ⊢ Φ ("process p satisfies a formula Φ"), and is described in detail in [8] for the more general process algebra of Value Passing CCS and a first order μ-calculus. The other subsystem, which is presented in this paper, is devoted to a parallel composition operator and is designed to prove sequents given by Φ || Ψ ⊢ Θ ("for any processes p and q satisfying Φ and Ψ respectively, the composite system p || q satisfies Θ"). These two proof systems with an additional inference rule from [14]:

$$\frac{p \vdash \Phi \qquad \Phi \,\|\, \Psi \vdash \Theta \qquad q \vdash \Psi}{p \,\|\, q \vdash \Theta}$$

result in a compositional proof system for CCS (now with the parallel composition operator) and the modal μ-calculus. Both subprocesses in each parallel composition operator have associated formulas specifying their properties. Whenever we are to prove a property of a parallel composition, we first prove that the corresponding properties hold for each component, and then infer in the proof system that the global property of the composition also holds. This compositional step substantially simplifies the verification problem, since it avoids building the whole state space for the parallel composition in the finite-state case. This state space grows exponentially in the number of processes involved, thus causing the state explosion problem. Thus, as a particular case, we propose a promising method of combining model checking with theorem proving, when the verification of the components is accomplished by model checking.

Our verification framework also supports compositional design in the sense that one can work out specifications for all the parts of a complex system and prove by our method that if every component satisfies its specification, then the whole design is correct. After the implementation it is enough to verify each component separately. Moreover, one can change the actual implementation of some components without having to repeat the verification of the entire system, as long as the new implementation meets its local requirements.

Our compositional approach differs from many others [2, 3, 5, 7] in that it can handle the parallel composition operator in a purely compositional way and at the same time remains general for the full CCS and the full modal μ-calculus. In [2, 3, 5] the parallel composition operator was eliminated basically by encoding one of the subprocesses into the formula. In the worst case this results in an exponential blow-up in the size of the formula, and the total complexity remains the same as for non-compositional model checking [6]. The proof system of C. Stirling [14] is, probably, the most compositional in the sense that it clearly reduces the verification problem to the verification of components. In fact, our system originated from it. But Stirling considers the Hennessy-Milner logic, which is too weak to be of much interest in practice. The proof system of M. Dam [7] is also very close in spirit to ours, and is complete for finite-state processes. The latter system, however, uses the τ action for all synchronizations, and in the rule ⊢ [τ] (that corresponds to our ([τ1])) there have to be as many premises as there are actions in the model. Therefore, one can only have a finite set of actions, whereas our system can handle infinite sets of actions as well.

The proof system is implemented in the PVS theorem prover [13]. The PVS specification language is used as a metalanguage to specify and prove the soundness of all the inference rules and axioms. The proof system is encoded as a set of theorems, which can be used as rewrite rules while a proof is in progress. Since PVS has a built-in model checker, both steps of the verification of finite-state systems, i.e. model checking the components and deriving the global property, can be done in a single framework. Also, PVS provides a powerful mechanism for writing proof strategies for automated proof search in our system.

The paper is organized as follows. Section 2 describes our version of CCS. Section 3 introduces the modal μ-calculus [9] (syntax and semantics), and provides some examples of useful properties. Section 4 describes the Compositional Proof System and shows an example of a proof in the proof system. In Section 5 we argue for the soundness of the proof system, in particular for the soundness of the fixed point rules. In Section 6 we discuss the issue of implementation in PVS and two examples that we verified. We conclude in Section 7.


2 The Process Algebra.

We use the standard CCS of R. Milner [11, 12], except that we change the parallel composition operator and the means of synchronization. The importance of this change will become clear in Section 4, where we need it to simplify the compositional inference rules. Instead of actions {a, ...}, co-actions {ā, ...} and the special action τ, we define input {a?, ...}, output {a!, ...} and neutral {a, ...} actions respectively. We will denote actions of arbitrary type by Greek letters γ, δ, .... Now two processes in a parallel composition may synchronize by input and output actions of the same name, yielding the corresponding neutral action (one might write this fact as a? · a! = a! · a? = a). In other words, we distinguish between τ-actions which are formed by different pairs of actions.

Our parallel composition operator also has a more general form in comparison with CCS: p Γ||Δ q can be considered roughly as (p ↾ Γ) | (q ↾ Δ) in the original CCS, where Γ and Δ are sets of action symbols. This operator is taken from [2]. Thus, the abstract grammar of our CCS is the following:

$$p \;::=\; 0 \;\mid\; P \;\mid\; \gamma.p \;\mid\; p_0 + p_1 \;\mid\; p_0\ {}_{\Gamma}\|_{\Delta}\ p_1 \;\mid\; p\!\restriction\!\Lambda \;\mid\; p\{H\}.$$

Here 0 is the nil process (called inaction in [11]), that can not perform any action, P is a process identifier, γ.p is a prefix operator, p + q is a non-deterministic choice, ↾Λ and {H} are restriction and relabelling. Process identifiers are declared using an identifier declaration of the form

$$P = p.$$
We will denote the set of all CCS processes by 𝒫. The operational semantics of our CCS is shown in Figure 1. As an example, consider these simple processes:

$$\begin{aligned}
P &= a.b!.P \\
Q &= b?.c.Q \\
R &= (P\ {}_{\Gamma}\|_{\Delta}\ Q)\!\restriction\!\Lambda,
\end{aligned}$$

where Γ = {a, b!}, Δ = {b?, c} and Λ = {a, b, c}.

The process R is combined from the two processes P and Q, that perform asynchronous actions a and c and are forced to synchronize by b? and b!, since b?, b! ∉ Λ.


3 The Modal μ-Calculus.

3.1 Syntax.

Definition 1. The language of the modal μ-calculus [9] consists of the following alphabet:

• P, Q, ... ∈ Prop are propositional constant symbols; in particular, we assume the existence of two constants true and false;

• X, Y, ... ∈ Var are propositional variables;

• γ, δ, ... ∈ Act are action symbols.

We assume that the set of action symbols Act consists of input {a?, ...}, output {a!, ...} and neutral {a, ...} action symbols, in order to ensure compatibility with the action symbols of CCS from the previous section.

Formulas are defined as follows:

1. P, where P is a propositional constant;

2. X, where X is a propositional variable;

3. Φ₁ ∧ Φ₂, Φ₁ ∨ Φ₂, where Φ₁ and Φ₂ are formulas;

4. ⟨γ⟩Φ, [γ]Φ, where γ ∈ Act and Φ is a formula;

5. μX.Φ, νX.Φ, where Φ is a formula.

Note that the absence of negation does not decrease the expressive power of the logic, since we can always rewrite formulas in the so-called negation normal form, where all negations are applied to atomic formulas only (i.e. to propositional constants and free variables), and then define new predicate symbols with the complement interpretation: $\mathcal{L}(\bar{P}) = S \setminus \mathcal{L}(P)$ (see the next subsection for semantics).

For example, some properties of processes P, Q and R from the previous section can be expressed as:

$$\begin{aligned}
\Phi &= \nu X.\langle a\rangle\langle b!\rangle X \\
\Psi &= \nu X.\langle b?\rangle\langle c\rangle X \\
\Theta &= \nu X.\langle a\rangle \mu Y.(\langle c\rangle X \vee \langle b\rangle Y)
\end{aligned}$$

The formulas Φ and Ψ say that the corresponding pairs of actions can repeat infinitely often. The formula Θ says that after a and some finite number of b's the action c can be executed, and this pattern can repeat infinitely often.

Now we describe the formal semantics of the logic.


3.2 Semantics.

A model (Kripke structure) is a tuple

$$\mathcal{M} = (S, \rightarrow, Act, e, \mathcal{L}),$$

where S is a set of CCS processes, → ⊆ S × Act × S is the transition relation defined in Figure 1 and projected on S, e : Var → 2^S is an interpretation of variables (environment), and ℒ : Prop → 2^S is an interpretation of propositional constant symbols. In order to be consistent with the intuitive semantics of CCS and [8], we will also assume that the set S is closed under the rules of Figure 1 (i.e. transition closed). Otherwise we may have a situation where, say, the process a.0 can not perform the action a in the model, if 0 ∉ S. Thus, it does not satisfy ⟨a⟩true, which is counterintuitive. This restriction, however, is not necessary and all the results in this paper remain valid without it.

The semantic function ⟦·⟧_ℳ e assigns semantic sets to μ-calculus formulas, and is defined inductively as follows (the subscript ℳ is omitted below):

$$\begin{aligned}
[\![P]\!]e &= \mathcal{L}(P); \qquad [\![X]\!]e = e(X); \\
&\text{in particular, } [\![\mathit{true}]\!]e = S,\ [\![\mathit{false}]\!]e = \emptyset; \\
[\![\Phi_1 \wedge \Phi_2]\!]e &= [\![\Phi_1]\!]e \cap [\![\Phi_2]\!]e; \\
[\![\Phi_1 \vee \Phi_2]\!]e &= [\![\Phi_1]\!]e \cup [\![\Phi_2]\!]e; \\
[\![\langle\gamma\rangle\Phi]\!]e &= \{\, s \in S \mid \exists s' \in [\![\Phi]\!]e : s \xrightarrow{\gamma} s' \,\}; \\
[\![[\gamma]\Phi]\!]e &= \{\, s \in S \mid \forall s' \in S : (s \xrightarrow{\gamma} s') \Rightarrow s' \in [\![\Phi]\!]e \,\}; \\
[\![\nu X.\Phi]\!]e &= \bigcup\{\, S' \subseteq S \mid S' \subseteq [\![\Phi]\!]e[X := S'] \,\}; \\
[\![\mu X.\Phi]\!]e &= \bigcap\{\, S' \subseteq S \mid S' \supseteq [\![\Phi]\!]e[X := S'] \,\}.
\end{aligned}$$

Here the updated environment e[X := S'] coincides with e on all variables, except maybe X, and

$$e[X := S'](X) = S'.$$

The semantics of the fixed points is well-defined by Tarski's Fixed-point Theorem [15], since all formulas are negation free, and thus the semantic function is monotone in the interpretation of every free variable.

We will write p ⊨_ℳ Φ for p ∈ ⟦Φ⟧_ℳ e, and will often omit the subscript ℳ when this is unambiguous. We will also write ⊨_ℳ Φ to mean that p ⊨_ℳ Φ holds for every process p ∈ S_ℳ, and ⊨ Φ to mean that ⊨_ℳ Φ holds for all models, or Φ is valid or generally true.
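As an added example, not code from the paper or from its PVS implementation, the following Python program makes the two definitions above concrete on the processes P, Q, R of Section 2 and the formulas Φ, Ψ, Θ of Section 3.1. It generates the transition-closed state space of a term and evaluates closed formulas by the set semantics just given, with fixed points computed by iteration from ∅ (for μ) or from the whole state set (for ν). Since Figure 1 is not reproduced here, the transition rules are our assumption: prefix, choice, restriction ↾Λ keeping only actions in Λ, and p Γ||Δ q interleaving the Γ-moves of p with the Δ-moves of q and synchronizing a? with a! into the neutral a. The evaluator is general (any finite-state term, any closed formula) rather than specific to the three formulas, and the modalities also accept sets of actions in the sense of Section 3.3; the tuple encodings and the names steps, state_space, sem, satisfies and check_example are ours.

```python
# Added example (not the paper's code). Transition rules below are our reading of
# Figure 1, which is not reproduced in the text.
from typing import Dict, FrozenSet

Act = str                     # 'a?' input, 'a!' output, 'a' neutral
Term = tuple                  # ('nil',) | ('id', N) | ('pre', γ, p) | ('sum', p, q)
                              # | ('par', p, Γ, Δ, q) | ('res', p, Λ); Γ, Δ, Λ frozensets
DEFS: Dict[str, Term] = {}    # identifier declarations  P = p


def steps(p: Term):
    """Immediate transitions (γ, p') of a CCS term."""
    while p[0] == 'id':                          # unfold a process identifier
        p = DEFS[p[1]]
    kind = p[0]
    if kind == 'nil':
        return set()
    if kind == 'pre':                            # γ.p --γ--> p
        return {(p[1], p[2])}
    if kind == 'sum':                            # p + q moves as either summand
        return steps(p[1]) | steps(p[2])
    if kind == 'res':                            # p↾Λ keeps only actions in Λ
        return {(g, ('res', q, p[2])) for g, q in steps(p[1]) if g in p[2]}
    _, left, gamma, delta, right = p             # p Γ||Δ q, roughly (p↾Γ) | (q↾Δ)
    ls = {(g, q) for g, q in steps(left) if g in gamma}
    rs = {(g, q) for g, q in steps(right) if g in delta}
    out = {(g, ('par', q, gamma, delta, right)) for g, q in ls}
    out |= {(g, ('par', left, gamma, delta, q)) for g, q in rs}
    for g1, q1 in ls:                            # a? · a! = a! · a? = a (neutral)
        for g2, q2 in rs:
            if g1[:-1] == g2[:-1] and {g1[-1], g2[-1]} == {'?', '!'}:
                out.add((g1[:-1], ('par', q1, gamma, delta, q2)))
    return out


def state_space(p: Term):
    """Transition-closed set of processes reachable from p, and its labelled edges."""
    states, edges, todo = {p}, set(), [p]
    while todo:
        s = todo.pop()
        for g, t in steps(s):
            edges.add((s, g, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return frozenset(states), frozenset(edges)


def sem(f, states, edges, env) -> FrozenSet[Term]:
    """[[f]]e as in Section 3.2; a modality may carry one action or a set of them."""
    k = f[0]
    if k == 'true':  return states
    if k == 'false': return frozenset()
    if k == 'var':   return env[f[1]]
    if k == 'and':   return sem(f[1], states, edges, env) & sem(f[2], states, edges, env)
    if k == 'or':    return sem(f[1], states, edges, env) | sem(f[2], states, edges, env)
    if k in ('dia', 'box'):
        acts = {f[1]} if isinstance(f[1], str) else set(f[1])
        inner = sem(f[2], states, edges, env)
        succ = {s: {t for (u, g, t) in edges if u == s and g in acts} for s in states}
        if k == 'dia':                           # some α-successor satisfies f
            return frozenset(s for s in states if succ[s] & inner)
        return frozenset(s for s in states if succ[s] <= inner)   # all of them do
    cur = frozenset() if k == 'mu' else states   # 'mu' / 'nu': iterate from ∅ / S;
    while True:                                  # monotone map on a finite lattice
        nxt = sem(f[2], states, edges, {**env, f[1]: cur})
        if nxt == cur:
            return cur
        cur = nxt


def satisfies(p: Term, f) -> bool:
    """p ⊨ f in the model generated by p (transition closed by construction)."""
    states, edges = state_space(p)
    return p in sem(f, states, edges, {})


# The processes of Section 2 and the formulas Φ, Ψ, Θ of Section 3.1
DEFS['P'] = ('pre', 'a', ('pre', 'b!', ('id', 'P')))
DEFS['Q'] = ('pre', 'b?', ('pre', 'c', ('id', 'Q')))
P, Q = ('id', 'P'), ('id', 'Q')
GAMMA, DELTA, LAMBDA = frozenset({'a', 'b!'}), frozenset({'b?', 'c'}), frozenset({'a', 'b', 'c'})
R = ('res', ('par', P, GAMMA, DELTA, Q), LAMBDA)

PHI = ('nu', 'X', ('dia', 'a', ('dia', 'b!', ('var', 'X'))))
PSI = ('nu', 'X', ('dia', 'b?', ('dia', 'c', ('var', 'X'))))
THETA = ('nu', 'X', ('dia', 'a', ('mu', 'Y', ('or', ('dia', 'c', ('var', 'X')),
                                                  ('dia', 'b', ('var', 'Y'))))))


def check_example() -> Dict[str, object]:
    """Local properties of the components, the global property of R, and the effect
    of the restriction ↾Λ: R can never perform b! or b? on its own."""
    return {'P |= Phi': satisfies(P, PHI),
            'Q |= Psi': satisfies(Q, PSI),
            'R |= Theta': satisfies(R, THETA),
            'R |= [b! U b?]false': satisfies(R, ('box', frozenset({'b!', 'b?'}), ('false',))),
            'R states': len(state_space(R)[0])}


if __name__ == '__main__':
    for name, value in check_example().items():
        print(f'{name}: {value}')
```

Run as a script it reports that P ⊨ Φ, Q ⊨ Ψ and R ⊨ Θ all hold and that R has four states; the unrestricted term P Γ||Δ Q can still perform b? on its own, which is exactly what ↾Λ removes. The compositional rule of Section 4 avoids building the composite space altogether, but on a finite example like this one the direct evaluation is a convenient oracle for checking a derived sequent.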


3.3 Extensions.

To make formulas shorter, we will use compound actions (denoted by α, β, ...) in the modal operators. Compound actions are formed from the ordinary actions from Act using the (finitary or infinitary) union operator α ∪ β, with the semantics of a non-deterministic choice. More precisely, the compound actions may be viewed as sets of actions, where

$$\xrightarrow{\alpha} \;=_{df}\; \bigcup_{\gamma \in \alpha} \xrightarrow{\gamma}$$

Thus, the meaning of the modalities for such compound actions is the following:

$$[\alpha]\Phi \;=_{df}\; \bigwedge_{\gamma \in \alpha} [\gamma]\Phi, \qquad \langle\alpha\rangle\Phi \;=_{df}\; \bigvee_{\gamma \in \alpha} \langle\gamma\rangle\Phi.$$


4 The Compositional Proof System.

In the sequel we fix a model ℳ = (𝒫, →, Act, e, ℒ), where 𝒫 is the set of all CCS processes. We choose the most general model, since the results described in this section remain valid for all practical submodels used in verification.

Definition 2. A sequent is an expression of the form Φ Γ||Δ Ψ ⊢_Λ Θ, where Φ, Ψ and Θ are formulas, and Γ, Δ and Λ ⊆ Act are sets of action symbols.

The meaning of sequents for μ-calculus formulas can be expressed as follows:

$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \models_{\Lambda} \Theta \iff \forall p, q.\ \big( p\!\restriction\!\Gamma \models \Phi \ \wedge\ q\!\restriction\!\Delta \models \Psi \ \Rightarrow\ (p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \models \Theta \big).$$
We apply the following scheme for proving the correctness of composite systems of the form (p Γ||Δ q) ↾ Λ: assume that we have already proven that p ↾ Γ ⊨ Φ and q ↾ Δ ⊨ Ψ for some formulas Φ and Ψ. To prove that (p Γ||Δ q) ↾ Λ ⊨ Θ for a formula Θ it is sufficient to show that Φ Γ||Δ Ψ ⊨_Λ Θ is valid. In other words, we can introduce an inference rule:

$$\frac{p\!\restriction\!\Gamma \vdash \Phi \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \Theta \qquad q\!\restriction\!\Delta \vdash \Psi}{(p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \vdash \Theta}$$

This inference rule was inspired by a similar rule of C. Stirling in [14].

In this paper we elaborate on the proof system for sequents of type Φ Γ||Δ Ψ ⊢_Λ Θ. For details on the proof system for p ⊢ Φ, where p is a sequential CCS term, the reader is referred to [8].

In our proof system we handle fixed points by assigning tags [16, 1] to the fixed point operators. Intuitively (although simplified), tags store the information that some particular sequents have already occurred below in the proof tree, assuming that the tree grows up from the goal to axioms. The current sequent is included in the tag of a fixed point formula when this formula gets unfolded. If the same sequent appears later in the proof, it is considered proved. This way of reasoning works for greatest fixed points on the right hand side and for least fixed points on the left hand side of the '⊢' sign. In practice, when unfolding a fixed point formula, it is not necessary to include the whole sequent in the tag. It is sufficient to store only the two other formulas of the sequent. Thus, formally, tags are sets of pairs of formulas, associated with fixed point operators.

We extend the syntax of formulas by tags L in the fixed point operators as follows:

• μX{L}Φ, νX{L}Φ, where L is a finite set of pairs of formulas, i.e. L = {(Ψ₁, Ψ₂), ...}.

We will write fixed points with empty tags in the standard μ-calculus syntax, e.g. μX.Φ instead of μX{∅}Φ, and will not distinguish between them.

For technical reasons, to simplify the proof of soundness, we have developed a special semantics for sequents with tagged formulas, so that every rule in the proof system is locally sound, including the fixed point rules. A standard way to prove the local soundness of the fixed point rules is to use the reduction Lemma 4 [16, 1] (see the next section). In order to apply this lemma here, the semantics of the sequent Φ Γ||Δ Ψ ⊨_Λ νX{L}Θ must be of the form U ⊆ V, where V is the (extended) semantic set of νX{L}Θ, and U is some semantic set corresponding to the pair (Φ, Ψ). To apply the reduction lemma to the least fixed points on the left hand side (e.g. for μX{L}Φ Γ||Δ Ψ ⊢_Λ Θ), we need to rewrite the semantics of the sequent into an equivalent form U' ⊆ V', where U' is now the semantics of the least fixed point formula μX{L}Φ, and V' is a semantic set for the pair (Ψ, Θ), possibly defined differently from the one for (Φ, Ψ) above.

Before introducing the new semantics of sequents, we define the extended semantics of tagged formulas. Assume given two functions f_μ and f_ν that map pairs of formulas into subsets of 𝒫 (e.g. f_μ(Φ, Ψ) ⊆ 𝒫). Then the definition of the extended semantic function ⟦·⟧^{(f_μ, f_ν)} e coincides with the one of ⟦·⟧e from Section 3 on all the operators except the fixed points:

$$\begin{aligned}
[\![\nu X\{L\}\Phi]\!]^{(f_\mu, f_\nu)} e &= \bigcup\{\, S' \subseteq \mathcal{P} \mid S' \subseteq [\![\textstyle\bigvee L]\!]^{(f_\mu, f_\nu)} e \ \cup\ [\![\Phi]\!]^{(f_\mu, f_\nu)} e[X := S'] \,\} \\
[\![\mu X\{L\}\Phi]\!]^{(f_\mu, f_\nu)} e &= \bigcap\{\, S' \subseteq \mathcal{P} \mid S' \supseteq [\![\textstyle\bigwedge L]\!]^{(f_\mu, f_\nu)} e \ \cap\ [\![\Phi]\!]^{(f_\mu, f_\nu)} e[X := S'] \,\}
\end{aligned}$$

where

$$[\![\textstyle\bigvee L]\!]^{(f_\mu, f_\nu)} e = \bigcup_{(\Phi, \Psi) \in L} f_\nu(\Phi, \Psi) \qquad\text{and}\qquad [\![\textstyle\bigwedge L]\!]^{(f_\mu, f_\nu)} e = \bigcap_{(\Phi, \Psi) \in L} f_\mu(\Phi, \Psi).$$

In particular,

$$[\![\textstyle\bigvee \emptyset]\!]^{(f_\mu, f_\nu)} e = \emptyset, \qquad [\![\textstyle\bigwedge \emptyset]\!]^{(f_\mu, f_\nu)} e = \mathcal{P}.$$

Notice that if all tags in a formula are empty, then its extended semantics coincides with the semantics defined in Section 3.

We need to provide suitable functions that assign semantic sets to pairs of formulas, as we discussed above. We call such functions composition and left/right division operations. They are introduced in Definition 4, using an additional operation of Γ-closure and similar operations for sets of CCS processes from Definition 3. The Γ-closure adds to a set of CCS processes all the processes that are not of the form (p ↾ Γ) for this particular Γ. Lemma 1 allows us to rewrite the semantics of a sequent in different representations (like U ⊆ V and U' ⊆ V' above).

Definition 3. Let A, B and C be subsets of 𝒫. Define

$$(A)^{\Gamma} \;=_{df}\; \{\, q \mid (\exists p : q = (p\!\restriction\!\Gamma)) \Rightarrow q \in A \,\}$$

$$(A\ {}_{\Gamma}\|_{\Delta}\ B)\!\restriction\!\Lambda \;=_{df}\; \{\, (p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \mid (p\!\restriction\!\Gamma) \in A \text{ and } (q\!\restriction\!\Delta) \in B \,\}$$

$$C /_{l} B \;=_{df}\; \big(\{\, (p\!\restriction\!\Gamma) \mid \text{for all } (q\!\restriction\!\Delta) \in B : (p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \in C \,\}\big)^{\Gamma}$$

$$C /_{r} A \;=_{df}\; \big(\{\, (q\!\restriction\!\Delta) \mid \text{for all } (p\!\restriction\!\Gamma) \in A : (p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \in C \,\}\big)^{\Delta}$$

Lemma 1. For A, B, C ⊆ 𝒫 the following holds:

$$(A\ {}_{\Gamma}\|_{\Delta}\ B)\!\restriction\!\Lambda \subseteq C \iff A \subseteq C /_{l} B \iff B \subseteq C /_{r} A$$


Definition 4. Let Γ, Δ and Λ be subsets of Act. Then define, by mutual recursion,

quotl(Φ, Ψ) =_df

quotr(Φ, Ψ) =_df

par(Φ, Ψ) =_df
It can be shown that this mutual recursion is well-defined. Note that the functions quotl, quotr and par also depend on Γ, Δ and Λ, although we do not include these parameters for the sake of readability. The semantics of the sequent Φ Γ||Δ Ψ ⊨_Λ Θ for tagged formulas Φ, Ψ and Θ is defined as follows (with the same Γ, Δ and Λ in par, and ⟦Θ⟧e the extended semantics of Θ):

$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \models_{\Lambda} \Theta \iff \mathrm{par}(\Phi, \Psi) \subseteq [\![\Theta]\!]e$$

Lemma 2. Assume that all ν-subformulas in Φ and Ψ and all μ-subformulas of Θ have empty tags. Then

$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \models_{\Lambda} \Theta \iff \forall p, q.\ \big( (p\!\restriction\!\Gamma) \in [\![\Phi]\!]e \ \text{and}\ (q\!\restriction\!\Delta) \in [\![\Psi]\!]e \ \Rightarrow\ (p\ {}_{\Gamma}\|_{\Delta}\ q)\!\restriction\!\Lambda \in [\![\Theta]\!]e \big)$$

with the extended semantics on both sides.

We will define a sound approximation Φ Γ||Δ Ψ ⊢_Λ Θ, for which we can build a proof system. In this proof system all the proof rules preserve the conditions of Lemma 2. Therefore, if we start with formulas with empty tags, then all the sequents produced during the proof will satisfy these conditions.

The Compositional Proof System consists of axioms (Fig. 2) and inference rules (Figs. 3, 4 and 5). We say that a sequent Φ Γ||Δ Ψ ⊢_Λ Θ is valid if there is a derivation of this sequent in the proof system.

We will not show all the rules here; we provide only the rules dealing with the leftmost and the rightmost formulas (labelled, e.g., by (l[.]1) and (r[.])). The corresponding rules for the middle formula are symmetrical with those for the left formula (referred to as, e.g., (l[.]2)), and will be provided in the full version of the paper.

Note that we could not have most of the axioms and modal inference rules in such a simple form as they are if we had used τ-actions instead of neutral actions. For τ-actions, for example, the rule [τ1] (Figure 5) would have to have as many premises as there are synchronizable pairs of actions in Γ and Δ, or the formulas Φ and Ψ would have certain restrictions on all the other actions. This is inconvenient and unnecessary, since in our system we can represent the action τ by the set of all neutral actions a that arise from the synchronous execution of a? and a!. In addition, we can also easily prove properties for only those synchronizations we are interested in.

An Example Proof. We will show here a short example proof for the processes P, Q, R and their specifications Φ, Ψ and Θ described in Sections 2 and 3.
$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \mathit{true}$$

$$\mathit{false}\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \Theta \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ \mathit{false} \vdash_{\Lambda} \Theta$$

$$\mu X\{L\}\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \Theta \ \text{ if } (\Psi', \Theta') \in L \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ \mu X\{L\}\Psi \vdash_{\Lambda} \Theta \ \text{ if } (\Phi', \Theta') \in L \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \nu X\{L\}\Theta \ \text{ if } (\Phi', \Psi') \in L$$

where Φ' ≤ Φ, Ψ' ≤ Ψ and Θ' ≤ Θ in the last 3 axioms.

$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} [\alpha]\Theta$$

where for all γ ∈ α : (γ ∉ Λ) or (γ ∉ Γ ∪ Δ and, if γ = a is neutral, then {(a?, a!), (a!, a?)} ∩ Γ × Δ = ∅)

$$[\alpha]\mathit{false}\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} [\alpha]\Theta \quad (\alpha \cap \Delta = \emptyset)$$

where ∀a ∈ α. {(a?, a!), (a!, a?)} ∩ Γ × Δ = ∅

$$\langle\alpha\rangle\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \Theta \quad (\alpha \cap \Gamma = \emptyset) \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ \langle\beta\rangle\Psi \vdash_{\Lambda} \Theta \quad (\beta \cap \Delta = \emptyset)$$

$$[a?]\mathit{false}\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} [a]\Theta \qquad \Phi\ {}_{\Gamma}\|_{\Delta}\ [a!]\mathit{false} \vdash_{\Lambda} [a]\Theta$$

where (a! ∉ Γ or a? ∉ Δ) and a ∉ Γ ∪ Δ in the last 2 axioms.


Figure 2: Compositional Proof System: Axioms. The (syntactical) relation on formulas Φ' ≤ Φ means that the formulas have exactly the same structure except tags (that is, their untagged versions are the same), and all tags of Φ' are subsets of the corresponding tags of Φ.


Figure 3: Compositional Proof System: Propositional Inference Rules.


Figure 4: Compositional Proof System: Fixed Point Inference Rules. The substitution notation used there denotes the substitution of Ψ for X in Φ.

Figure 5: Compositional Proof System: Modal Inference Rules. Formulas in parentheses are optional, but if some (Φ) occurs in a premise, then it must occur in the conclusion.


(axiom)
Φ Γ||Δ Ψ ⊢_Λ Θ₁
-------------------------------------------------- (r⟨⟩2)
Φ Γ||Δ ⟨c⟩Ψ ⊢_Λ ⟨c⟩Θ₁
-------------------------------------------------- (rμ, r∨)
Φ Γ||Δ ⟨c⟩Ψ ⊢_Λ μY.(⟨c⟩Θ₁ ∨ ⟨b⟩Y)
-------------------------------------------------- ((τ2))
⟨b!⟩Φ Γ||Δ ⟨b?⟩⟨c⟩Ψ ⊢_Λ ⟨b⟩μY.(⟨c⟩Θ₁ ∨ ⟨b⟩Y)
-------------------------------------------------- (r∨)
⟨b!⟩Φ Γ||Δ ⟨b?⟩⟨c⟩Ψ ⊢_Λ ⟨c⟩Θ₁ ∨ ⟨b⟩μY.(⟨c⟩Θ₁ ∨ ⟨b⟩Y)
-------------------------------------------------- (rμ)
⟨b!⟩Φ Γ||Δ ⟨b?⟩⟨c⟩Ψ ⊢_Λ μY.(⟨c⟩Θ₁ ∨ ⟨b⟩Y)
-------------------------------------------------- (r⟨⟩1)
⟨a⟩⟨b!⟩Φ Γ||Δ ⟨b?⟩⟨c⟩Ψ ⊢_Λ ⟨a⟩μY.(⟨c⟩Θ₁ ∨ ⟨b⟩Y)
-------------------------------------------------- (rν, lν1, lν2)
Φ Γ||Δ Ψ ⊢_Λ Θ

where

$$\Theta_1 := \nu X\{(\Phi, \Psi)\}\langle a\rangle \mu Y.(\langle c\rangle X \vee \langle b\rangle Y).$$

5 Soundness.

Soundness of the proof system described above can be stated as the following theorem:

Theorem 3. (Soundness) Assume that all ν-subformulas in Φ and Ψ and all μ-subformulas of Θ have empty tags. Then

$$\Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \vdash_{\Lambda} \Theta \ \Rightarrow\ \Phi\ {}_{\Gamma}\|_{\Delta}\ \Psi \models_{\Lambda} \Theta.$$
Before sketching the proof we state the following lemma.

Lemma 4. (The reduction lemma [16, 1]). Let D be a set and f : 2^D → 2^D be monotone with respect to ⊆. Denote the least and the greatest fixed points of f by μx.f(x) and νx.f(x) respectively. Then

$$\text{(i)}\quad U \subseteq \nu x.f(x) \iff U \subseteq f(\nu x.(U \cup f(x)))$$

$$\text{(ii)}\quad U \supseteq \mu x.f(x) \iff U \supseteq f(\mu x.(U \cap f(x)))$$
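To see the lemma at work on a finite lattice, here is an added Python check that is not part of the paper: D is a constructed five-node graph, f is the predecessor operator on that graph (the semantics of ⟨γ⟩X with X as the variable, monotone in X), and both equivalences (i) and (ii) are tested for every U ⊆ D, with the fixed points computed by iteration from ∅ (for μ) and from D (for ν). The names lfp, gfp, predecessor_operator and reduction_lemma_holds and the sample graph are ours.

```python
# Added example (not the paper's code): brute-force check of Lemma 4 on 2^D.
from itertools import combinations
from typing import Callable, FrozenSet, Iterator

SetOp = Callable[[FrozenSet[int]], FrozenSet[int]]


def lfp(f: SetOp) -> FrozenSet[int]:
    """mu x.f(x): iterate from the empty set; terminates because 2^D is finite."""
    x: FrozenSet[int] = frozenset()
    while (y := f(x)) != x:
        x = y
    return x


def gfp(f: SetOp, D: FrozenSet[int]) -> FrozenSet[int]:
    """nu x.f(x): iterate from the full set D."""
    x = D
    while (y := f(x)) != x:
        x = y
    return x


def subsets(D: FrozenSet[int]) -> Iterator[FrozenSet[int]]:
    """All U ⊆ D."""
    elems = sorted(D)
    for r in range(len(elems) + 1):
        for c in combinations(elems, r):
            yield frozenset(c)


def predecessor_operator(D: FrozenSet[int], edges) -> SetOp:
    """f(X) = {s in D | s has an edge into X}, i.e. the semantics of <gamma>X."""
    return lambda X: frozenset(s for s in D if any((s, t) in edges for t in X))


def reduction_lemma_holds(D: FrozenSet[int], f: SetOp) -> bool:
    """Check equivalences (i) and (ii) of Lemma 4 for every U ⊆ D."""
    nu_f, mu_f = gfp(f, D), lfp(f)
    for U in subsets(D):
        lhs_i = U <= nu_f
        rhs_i = U <= f(gfp(lambda x: U | f(x), D))     # nu x.(U ∪ f(x)) is monotone
        lhs_ii = U >= mu_f
        rhs_ii = U >= f(lfp(lambda x: U & f(x)))       # mu x.(U ∩ f(x)) is monotone
        if lhs_i != rhs_i or lhs_ii != rhs_ii:
            return False
    return True


# constructed graph: a cycle 0->1->2->0, a node 3 feeding the cycle, an isolated 4
D = frozenset(range(5))
EDGES = {(0, 1), (1, 2), (2, 0), (3, 0)}
F = predecessor_operator(D, EDGES)

if __name__ == '__main__':
    print('nu x.F(x) =', sorted(gfp(F, D)), ' mu x.F(x) =', sorted(lfp(F)))
    print('Lemma 4 holds on this lattice:', reduction_lemma_holds(D, F))
```

Here νx.F(x) is the set of nodes with an infinite path ({0, 1, 2, 3}) and μx.F(x) is empty, which is the familiar difference between the greatest and least fixed point of a diamond; the brute-force loop confirms that (i) and (ii) hold for all 32 choices of U, which is what the soundness argument for the (rν) and (lμ) rules relies on.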

Proof. (Of Theorem 3. Sketch.)

We show soundness of the proof system by showing that all axioms and rules are individually sound (i.e. axioms are valid and rules preserve validity). For most of the rules the proof is straightforward but tedious, using Lemma 2. The soundness of the fixed point rules (lμ1), (lμ2) and (rν) follows directly from Lemmas 1 and 4. Fixed point axioms are valid because of the monotonicity of the composition and division operators (composition is monotone in both arguments, division is antimonotone in the first argument and monotone in the second), and the following relations:

$$L \subseteq L' \ \Rightarrow\ [\![\textstyle\bigvee L]\!] \subseteq [\![\textstyle\bigvee L']\!] \ \text{ and }\ [\![\textstyle\bigwedge L]\!] \supseteq [\![\textstyle\bigwedge L']\!]$$

$$U \subseteq V \ \Rightarrow\ \mu x.(U \cap f(x)) \subseteq \mu x.(V \cap f(x)) \ \text{ and }\ \nu x.(U \cup f(x)) \subseteq \nu x.(V \cup f(x))$$

for a monotone f as in Lemma 4.

The proof of soundness was completely checked using the theorem prover PVS [13]. All the inference rules are encoded as theorems and can be used as rewrite rules when a proof is in progress. The completeness of the system is still an open problem.


6 Implementation in PVS.

The Compositional Proof System is implemented in the PVS theorem prover [13]. The main objectives of this implementation were to check the soundness of the system and to try out some relatively small proofs in the system. PVS was chosen as an implementation framework because it has a built-in model checker. So, both steps of the verification of finite-state systems, i.e. model checking the components and deriving the global property, can be done in PVS. We verified two examples using the system: (1) the Alternating Bit Protocol (ABP) [4, 6] and (2) Milner's Scheduler [12].

The ABP example consists of three parallel processes Send, Medium and Receiver combined together by two parallel composition operators:

$$\mathrm{ABP} = ((\mathrm{Send}\ {}_{\Gamma_S}\|_{\Gamma_M}\ \mathrm{Medium})\ {}_{\Delta}\|_{\Gamma_R}\ \mathrm{Receive})\!\restriction\!\Lambda$$

with appropriate restriction sets. Each individual process, including the intermediate

$$(\mathrm{Send}\ {}_{\Gamma_S}\|_{\Gamma_M}\ \mathrm{Medium})$$

has its own specification. The specifications for the 'atomic' processes, i.e. Send, Medium and Receive, were directly model checked using SMV [10]. The specifications of compound processes (i.e. obtained by parallel composition) were derived from the components in the proof system.

The example of Milner's scheduler is more involved and includes induction on the number of parallel processes. There are only two very simple 'atomic' processes: an arbiter p and a short wire sw. A scheduler with n arbiters is defined as

$$S_n = (B_n\ {}_{\Gamma_n}\|_{\Delta_n}\ sw\{H_n\})\!\restriction\!\Lambda_n$$

and the body B_n is recursively defined by:

$$B_1 = (p\{H_1\})\!\restriction\!\Lambda_1, \qquad B_{i+1} = (B_i\ {}_{\Gamma_i}\|_{\Delta_{i+1}}\ \cdots$$

The relabelling H_i is used to rename input and output actions so that they would not cause any confusion among different copies of p.

The verification was done by induction on the number of arbiters:

• Specifications for p and sw were model checked;

• Assuming proved B_n ⊨ Φ_n and sw{H_n} ⊨ Ψ_n, the sequent Φ_n Γn||Δn Ψ_n ⊢_Λn Θ_n was derived with n as a parameter;

• Also assuming p{H_n} ⊨ Θ_n, the sequent Φ_n Γn||Δn+1 Ψ_{n+1} ⊢_Λn+1 Φ_{n+1} was proved.

After model checking of B_1 ⊨ Φ_1 the verification was complete. Thus, we showed that for arbitrary n, S_n ⊨ Θ_n by induction on the number of parallel components.

The hardest part here was to find the right invariant and to prove the sequent

$$\Phi_n\ {}_{\Gamma_n}\|_{\Delta_{n+1}}\ \Psi_{n+1} \vdash_{\Lambda_{n+1}} \Phi_{n+1}.$$

The chart below shows the proof size in steps for several sequents:

Max formula length   nesting depth   altern. depth   proof steps (direct)   proof steps (simplified)
17                   5               2               80                     80
15                   3               2               23                     23
23                   3               2               4.65 · 10**            814

The column "proof steps (simplified)" refers to the number of steps without repetitions of identical subproofs. As can be easily seen, the naive proof tree ("direct" column) contains a lot of repetitions in the last proof (the induction step for Milner's Scheduler). The blowup was caused by multiple instances of bound variables in fixed point operators, since the unfolding of fixed points produced several identical copies of subformulas. Thus, it is much more practical to think about a proof DAG (Directed Acyclic Graph) rather than a proof tree. Unfortunately, PVS does not allow one to detect identical subgoals dynamically. Therefore, this proof system needs to be implemented in a special purpose theorem prover designed specifically for this system.


7 Conclusion.

We have presented a Compositional Proof System for the modal μ-calculus and a (more general version of a) parallel composition operator of CCS. The proof system allows us to decompose a verification task into simpler tasks for each parallel component. For example, in the finite state case, if we are to verify that a process term of the form (P Γ||Δ Q) ↾ Λ has a property Θ, we can reduce this task to showing that P ↾ Γ satisfies Φ and Q ↾ Δ satisfies Ψ for some suitably chosen Φ and Ψ for which we can derive Φ Γ||Δ Ψ ⊢_Λ Θ in our proof system. This way of compositional reasoning significantly reduces the state explosion problem arising in the direct model checking method [6]. In general, it is much easier to model check two properties of two components and prove a sequent Φ Γ||Δ Ψ ⊢_Λ Θ, than to model check the same property Θ for the result of the parallel composition directly. The reason is that in the finite-state case the parallel composition operator often causes an exponential blow-up of the number of states, and one may easily obtain an intractable size in a very simple example. In contrast, in our approach we would have to explore only several relatively small state spaces, and when formulas are not too long (which is often the case), deriving the global property produces only tolerable overhead, which results in computationally simpler and faster verification. Similar reasons work in the infinite-state case, except that we have to compare a different notion of complexity rather than the number of states.

Another significant advantage of the approach is that it supports compositional design in the following sense. Suppose we are to design a complex system consisting of dozens (if not hundreds or thousands) of parallel components. What we have to do first is to specify every component in some higher level specification language, and then make sure that if every specification is met, then the whole design will be correct. Our compositional proof system can naturally assist in solving this problem even before the actual implementation has started, and one may save a significant amount of effort in case the specifications contain a subtle but crucial error. Moreover, after the implementation there is no need to verify the entire system. Instead, it is enough to prove the correctness of each of the components separately, which is a much simpler task.

There are many open problems in the area. To mention only the most important ones, we do not know if the proof system is complete in general or for any particular class of CCS processes. Another open question is the decidability of Φ Γ||Δ Ψ ⊢_Λ Θ. A positive answer would make the compositional model checking problem fully automatic and possibly tractable for virtually any size and complexity of finite-state systems.

In future we plan to implement this system more efficiently in a special purpose theorem prover and provide a better input language for writing specifications of parallel systems and their properties.